workspace-doctor
Fail
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, NO_CODE)
Full Analysis
- [COMMAND_EXECUTION]: The shell script scripts/doctor.sh employs the eval command to run health checks extracted from the WORKSPACE.md file. This pattern allows any string located in the configuration file to be executed directly by the shell without validation.
- [REMOTE_CODE_EXECUTION]: The skill is designed to interact with project workspaces that may be cloned from untrusted remote sources. A malicious repository can include a WORKSPACE.md file containing harmful shell commands (such as those for data exfiltration) that will be executed when the user runs the 'doctor' skill.
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by processing instructions from the WORKSPACE.md file without sanitization.
  - Ingestion points: The WORKSPACE.md file, specifically the 'Prerequisites' and 'Health Checks' sections.
  - Boundary markers: None identified; the skill lacks delimiters or instructions to disregard embedded commands.
  - Capability inventory: Arbitrary shell execution via eval, network access via curl and wget, and local file system access.
  - Sanitization: No validation, escaping, or filtering is performed on the commands read from the workspace configuration before execution.
- [NO_CODE]: The script scripts/doctor.sh references and sources an external utility file lib/workspace-utils.sh, which is not included in the provided skill package, making its complete behavior unverifiable.
Recommendations
- AI detected serious security threats